Bradley, Manna. The Calculus of Computation, Springer, 2007

270 10 Combining Decision Procedures

Example 10.1. Consider the (ΣE ∪ ΣZ)-formula

F : 1 ≤ x ∧ x ≤ 2 ∧ f(x) ≠ f(1) ∧ f(x) ≠ f(2) .

Chapter 9 describes a decision procedure for TE, while Chapter 7 presents a decision procedure for TZ. We would like to combine these decision procedures to decide the (TE ∪ TZ)-satisfiability of F and other quantifier-free (ΣE ∪ ΣZ)-formulae.

The Nelson-Oppen combination method (N-O method) combines decision procedures for the quantifier-free fragments of several theories into one decision procedure for the quantifier-free fragment of the union theory. In our presentation of the N-O method, we usually discuss combining two theories and their decision procedures; however, the N-O method can combine an arbitrary number of theories and procedures. Additionally, we restrict ourselves to considering conjunctive formulae; however, the satisfiability of arbitrary (quantifier-free) formulae can be considered by converting to DNF and checking each disjunct.

Besides being restricted to quantifier-free formulae, the N-O method has two additional restrictions. First, the signatures Σ1 and Σ2 can only share equality =:

Σ1 ∩ Σ2 = {=} .

Second, the theories T1 and T2 must be stably infinite.

A theory T with signature Σ is stably infinite if for every quantifier-free Σ-formula F, if F is T-satisfiable, then there exists some T-interpretation that satisfies F and has a domain of infinite cardinality. We illustrate this concept with two example theories.

 

Example 10.2. Consider the theory Ta,b with signature

Σ2 : {a, b, =} ,

where both a and b are constants, and axiom

1. ∀x. x = a ∨ x = b    (two)

Because of axiom (two), every Ta,b-interpretation I : (DI, αI) is such that the domain DI has at most two elements: |DI| ≤ 2. Hence, Ta,b is not stably infinite.

 

Example 10.3. We prove that TE is stably infinite. Consider the TE-satisfiable quantifier-free ΣE-formula F with arbitrary satisfying TE-interpretation I : (DI, αI) in which αI maps = to =I. Let A be any infinite set disjoint from DI. Then construct new interpretation J : (DJ, αJ):

• DJ = DI ∪ A

• αJ = {= ↦ =J, . . .}, where for v1, v2 ∈ DJ,

$$v_1 =_J v_2 \;\stackrel{\text{def}}{=}\; \begin{cases} v_1 =_I v_2 & \text{if } v_1, v_2 \in D_I \\ \text{true} & \text{if } v_1 \text{ is the same element as } v_2 \\ \text{false} & \text{otherwise} \end{cases}$$

J is a TE-interpretation satisfying F with infinite domain. Hence, TE is stably infinite.

The other theories discussed in this book are also stably infinite.

Example 10.4. Consider the quantifier-free conjunctive (ΣE ∪ ΣZ)-formula

F : 1 ≤ x ∧ x ≤ 2 ∧ f(x) ≠ f(1) ∧ f(x) ≠ f(2) .

The signatures of TE and TZ only share =. Also, both theories are stably infinite. Hence, the N-O combination of the decision procedures for TE and TZ decides the (TE ∪ TZ)-satisfiability of F.

Intuitively, F is (TE ∪ TZ)-unsatisfiable. For the first two literals imply x = 1 ∨ x = 2, so that f(x) = f(1) ∨ f(x) = f(2). Yet the last two literals contradict this conclusion.

 

10.2 Nelson-Oppen Method: Nondeterministic Version

In this section, we discuss the nondeterministic version of the N-O method. While simple to present, it suffers from high complexity. Section 10.3 reformulates the method to be deterministic and efficient.

Consider a quantifier-free conjunctive (Σ1 ∪ Σ2)-formula F. The N-O method proceeds in two steps.

10.2.1 Phase 1: Variable Abstraction

The variable abstraction phase transforms a quantifier-free conjunctive formula F into two quantifier-free conjunctive formulae, a Σ1-formula F1 and a Σ2-formula F2, such that F and F1 ∧ F2 are (T1 ∪ T2)-equisatisfiable. That is, F is (T1 ∪ T2)-satisfiable iff F1 ∧ F2 is (T1 ∪ T2)-satisfiable. F1 and F2 are linked via a set of shared variables.

For term t, let hd(t) be the root symbol; e.g., hd(f(x)) = f. Then for i, j ∈ {1, 2} and i ≠ j, repeat the following transformations as long as possible:

1. if function f ∈ Σi and hd(t) ∈ Σj,

F[f(t1, . . . , t, . . . , tn)] ⇒ F[f(t1, . . . , w, . . . , tn)] ∧ w = t

2. if predicate p ∈ Σi and hd(t) ∈ Σj,

F[p(t1, . . . , t, . . . , tn)] ⇒ F[p(t1, . . . , w, . . . , tn)] ∧ w = t

3. if hd(s) ∈ Σi and hd(t) ∈ Σj,

F[s = t] ⇒ F[w = t] ∧ w = s

w is a fresh variable in each application of a transformation. Transformation 3 also applies to s ≠ t literals: replace F[s ≠ t] with F[w ≠ t] ∧ w = s.

After applying the transformations, each literal of the resulting formula falls entirely within the signature of one of the two theories (or possibly within each if it is just an equality x = y or a disequality x ≠ y between variables: such literals are in every signature since they do not have symbols other than =). Divide the literals into two sets, one for each theory. These sets are not disjoint when there is a literal that is an equality or disequality between variables. Then return the conjunction of each set.
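Phase 1 as runnable code. The following Python is an added example written for this page, not code from Bradley and Manna. It implements transformations 1–3 for the two-theory case ΣE ∪ ΣZ under an assumed term encoding (variables as strings, numerals as ints, applications as tuples) with the table SIG standing in for the two signatures, and it reproduces the separations worked out in Examples 10.5 and 10.6, whose literals are embedded below as constructed inputs.

```python
# Term encoding (an assumption of this example, not the book's notation):
#   variable        -> str, e.g. 'x'          (shared by both signatures)
#   integer numeral -> int, belongs to Sigma_Z
#   application     -> tuple (symbol, arg1, ..., argn), e.g. ('f', 'x'), ('+', 'x', 'y')
# A literal is (pred, lhs, rhs) with pred in {'=', '!=', '<='}; '=' and '!=' are shared.
SIG = {'f': 'E', 'g': 'E', '+': 'Z', '-': 'Z', '<=': 'Z'}   # assumed symbol -> theory table


def hd(t):
    """Theory owning the root symbol of t; None for a variable (in every signature)."""
    if isinstance(t, str):
        return None
    if isinstance(t, int):
        return 'Z'
    return SIG[t[0]]


class Purifier:
    def __init__(self):
        self.count = 0
        self.defs = []            # definitional literals w = t added by transformations 1-3

    def fresh(self):
        self.count += 1
        return f'w{self.count}'

    def purify(self, t, theory):
        """Rewrite t so that every symbol in it belongs to `theory` (transformations 1 and 2):
        a subterm rooted in the other theory is replaced by a fresh w, recording w = subterm."""
        if isinstance(t, str):
            return t
        if hd(t) != theory:
            w = self.fresh()
            self.defs.append(('=', w, self.purify(t, hd(t))))
            return w
        if isinstance(t, int):
            return t
        return (t[0],) + tuple(self.purify(a, theory) for a in t[1:])

    def purify_literal(self, lit):
        pred, s, t = lit
        if pred not in ('=', '!='):                 # theory predicate: transformation 2
            th = SIG[pred]
            return (pred, self.purify(s, th), self.purify(t, th))
        hs, ht = hd(s), hd(t)
        if hs is None and ht is None:               # x = y / x != y: stays shared
            return lit
        if hs is None or ht is None or hs == ht:    # one side a variable, or same theory
            th = hs if hs is not None else ht
            return (pred, self.purify(s, th), self.purify(t, th))
        w = self.fresh()                            # transformation 3: F[s = t] -> F[w = t] and w = s
        self.defs.append(('=', w, self.purify(s, hs)))
        return (pred, w, self.purify(t, ht))


def theories_of(lit):
    """Theories whose signature contains every symbol of a purified literal (empty = variables only)."""
    pred, s, t = lit
    ths = {hd(u) for u in (s, t) if hd(u) is not None}
    if pred not in ('=', '!='):
        ths.add(SIG[pred])
    return ths


def variables(t):
    if isinstance(t, str):
        return {t}
    if isinstance(t, int):
        return set()
    return set().union(*(variables(a) for a in t[1:]))


def variable_abstraction(literals):
    """Phase 1: return (F_E, F_Z, shared) for a conjunction given as a list of literals."""
    p = Purifier()
    pure = [p.purify_literal(l) for l in literals] + p.defs
    F = {'E': [], 'Z': []}
    for lit in pure:
        for th in (theories_of(lit) or {'E', 'Z'}):   # variable-only literals go to both sides
            F[th].append(lit)
    free = {th: set().union(*(variables(l[1]) | variables(l[2]) for l in F[th])) for th in F}
    return F['E'], F['Z'], free['E'] & free['Z']


# Constructed inputs: the formulae of Examples 10.5 and 10.6.
EX_10_5 = [('<=', 1, 'x'), ('<=', 'x', 2),
           ('!=', ('f', 'x'), ('f', 1)), ('!=', ('f', 'x'), ('f', 2))]
EX_10_6 = [('=', ('f', 'x'), ('+', 'x', 'y')), ('<=', 'x', ('+', 'y', 'z')),
           ('<=', ('+', 'x', 'z'), 'y'), ('=', 'y', 1), ('!=', ('f', 'x'), ('f', 2))]

if __name__ == '__main__':
    for name, F in (('Example 10.5', EX_10_5), ('Example 10.6', EX_10_6)):
        FE, FZ, V = variable_abstraction(F)
        print(name, '\n  F_E =', FE, '\n  F_Z =', FZ, '\n  shared =', sorted(V))
```

Fresh variables are numbered in the order the transformations fire, so the output names coincide with the book's w1 and w2 in both examples; the shared set is computed as free(F1) ∩ free(F2), exactly as Phase 2 requires.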

Example 10.5. Consider (ΣE ∪ ΣZ)-formula

F : 1 ≤ x ∧ x ≤ 2 ∧ f(x) ≠ f(1) ∧ f(x) ≠ f(2) .

Since f ∈ ΣE and 1 ∈ ΣZ, replace f(1) by f(w1) and add w1 = 1 by transformation 1. Similarly, replace f(2) by f(w2) and add w2 = 2.

Now, the literals

1 ≤ x, x ≤ 2, w1 = 1, and w2 = 2

are TZ-literals, while the literals

f(x) ≠ f(w1) and f(x) ≠ f(w2)

are TE-literals. Hence, construct the ΣZ-formula

FZ : 1 ≤ x ∧ x ≤ 2 ∧ w1 = 1 ∧ w2 = 2

and the ΣE-formula

FE : f(x) ≠ f(w1) ∧ f(x) ≠ f(w2) .

FZ and FE share the variables x, w1, and w2. FZ ∧ FE is (TE ∪ TZ)-equisatisfiable to F.

 

Example 10.6. Consider the (ΣE ∪ ΣZ)-formula

F : f(x) = x + y ∧ x ≤ y + z ∧ x + z ≤ y ∧ y = 1 ∧ f(x) ≠ f(2) .

Intuitively, F is (TE ∪ TZ)-satisfiable: consider an interpretation in which x = 0, y = 1, z = 1, f(0) = 1, and f(2) = 2.

In the first literal, hd(f(x)) = f ∈ ΣE and hd(x + y) = + ∈ ΣZ; thus, by transformation 3, replace the literal with

w1 = x + y ∧ w1 = f(x) .

In the last literal, f ∈ ΣE but 2 ∈ ΣZ, so by transformation 1, replace it with

f(x) ≠ f(w2) ∧ w2 = 2 .

Now, separating the literals results in two formulae:

FZ : w1 = x + y ∧ x ≤ y + z ∧ x + z ≤ y ∧ y = 1 ∧ w2 = 2

is a ΣZ-formula, and

FE : w1 = f(x) ∧ f(x) ≠ f(w2)

is a ΣE-formula. The conjunction FZ ∧ FE is (TE ∪ TZ)-equisatisfiable to F.

10.2.2 Phase 2: Guess and Check

Phase 1 separates (Σ1 ∪ Σ2)-formula F into two formulae, Σ1-formula F1, and Σ2-formula F2. F1 and F2 are linked by a set of shared variables. Let

V = shared(F1, F2) = free(F1) ∩ free(F2)

be the shared variables of F1 and F2. Let E be an equivalence relation over V. The arrangement α(V, E) of V induced by E is the formula

$$\alpha(V, E) :\; \bigwedge_{u, v \in V.\; uEv} u = v \;\wedge\; \bigwedge_{u, v \in V.\; \neg(uEv)} u \neq v \,,$$

which asserts that variables related by E are equal and that variables unrelated by E are not equal. The formula F is (T1 ∪ T2)-satisfiable iff there exists an equivalence relation E of V such that

F1 ∧ α(V, E) is T1-satisfiable, and

F2 ∧ α(V, E) is T2-satisfiable.

Otherwise, F is (T1 ∪ T2)-unsatisfiable.

Example 10.7. Consider (ΣE ∪ ΣZ)-formula

F : 1 ≤ x ∧ x ≤ 2 ∧ f(x) ≠ f(1) ∧ f(x) ≠ f(2) .

Phase 1 separates this formula into the ΣZ-formula

FZ : 1 ≤ x ∧ x ≤ 2 ∧ w1 = 1 ∧ w2 = 2

and the ΣE-formula

FE : f(x) ≠ f(w1) ∧ f(x) ≠ f(w2) ,

with

V = shared(FZ, FE) = {x, w1, w2} .

There are 5 equivalence relations to consider, which we list by stating the partitions:

1. {{x, w1, w2}}, i.e., x = w1 = w2: FE ∧ α(V, E) is TE-unsatisfiable because it cannot be the case that both x = w1 and f(x) ≠ f(w1).

2. {{x, w1}, {w2}}, i.e., x = w1, x ≠ w2: FE ∧ α(V, E) is TE-unsatisfiable because it cannot be the case that both x = w1 and f(x) ≠ f(w1).

3. {{x, w2}, {w1}}, i.e., x = w2, x ≠ w1: FE ∧ α(V, E) is TE-unsatisfiable because it cannot be the case that both x = w2 and f(x) ≠ f(w2).

4. {{x}, {w1, w2}}, i.e., x ≠ w1, w1 = w2: FZ ∧ α(V, E) is TZ-unsatisfiable because it cannot be the case that both w1 = w2 and w1 = 1 ∧ w2 = 2.

5. {{x}, {w1}, {w2}}, i.e., x ≠ w1, x ≠ w2, w1 ≠ w2: FZ ∧ α(V, E) is TZ-unsatisfiable because it cannot be the case that both x ≠ w1 ∧ x ≠ w2 and x = w1 = 1 ∨ x = w2 = 2 (since 1 ≤ x ≤ 2 implies that x = 1 ∨ x = 2 in TZ).

Hence, F is (TE ∪ TZ)-unsatisfiable.

 

Example 10.8. Consider the (Σcons ∪ ΣZ)-formula

F : car(x) + car(y) = z ∧ cons(x, z) ≠ cons(y, z) .

After two applications of transformation 1, Phase 1 separates F into the Σcons-formula

Fcons : w1 = car(x) ∧ w2 = car(y) ∧ cons(x, z) ≠ cons(y, z)

and the ΣZ-formula

FZ : w1 + w2 = z ,

with

V = shared(Fcons, FZ) = {z, w1, w2} .

Consider the equivalence relation E given by the partition

{{z}, {w1}, {w2}} .

The arrangement

α(V, E) : z ≠ w1 ∧ z ≠ w2 ∧ w1 ≠ w2

satisfies both Fcons and FZ: Fcons ∧ α(V, E) is Tcons-satisfiable, and FZ ∧ α(V, E) is TZ-satisfiable. Hence, F is (Tcons ∪ TZ)-satisfiable.

10.2.3 Practical Efficiency

Phase 2 is formulated as “guess and check”: first, guess an equivalence relation E, then check the induced arrangement. Unfortunately, the number of equivalence relations increases significantly with the number of shared variables. The number of equivalence relations is given by the sequence of Bell numbers, which grows super-exponentially. For example, just 12 shared variables induce over four million equivalence relations. Hence, the guess-and-check method is impractical.
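Phase 2 as guess-and-check, together with the Bell-number count, run on the page's own examples. This Python is an added example for this page, not the book's code or that of any solver. It enumerates the set partitions of the shared variables (one per equivalence relation E), builds the arrangement α(V, E), and decides the TE side by congruence closure, the Chapter 9 procedure. As a labelled assumption, the TZ side is not the Chapter 7 procedure but an exhaustive search over a small integer box; that is adequate here only because the constraints of Example 10.7 and of Example 10.6's separated formulae confine every variable to the box. Term encoding, also assumed: variables are strings, applications are tuples.

```python
from itertools import combinations, product


def set_partitions(items):
    """Enumerate every partition of `items`: one per equivalence relation E over V."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for p in set_partitions(rest):
        for i in range(len(p)):              # put `first` into an existing block ...
            yield p[:i] + [[first] + p[i]] + p[i + 1:]
        yield [[first]] + p                  # ... or into a block of its own


def bell(n):
    """Number of equivalence relations on n elements, via the Bell triangle recurrence."""
    row = [1]
    for _ in range(n):
        nxt = [row[-1]]
        for v in row:
            nxt.append(nxt[-1] + v)
        row = nxt
    return row[0]


def arrangement(partition):
    """alpha(V, E): equalities inside a block, disequalities across blocks."""
    block_of = {v: i for i, blk in enumerate(partition) for v in blk}
    pairs = list(combinations(sorted(block_of), 2))
    eqs = [(u, v) for u, v in pairs if block_of[u] == block_of[v]]
    neqs = [(u, v) for u, v in pairs if block_of[u] != block_of[v]]
    return eqs, neqs


# Term encoding (assumption): variable = str, application = (symbol, arg1, ..., argn).
def subterms(t):
    yield t
    if isinstance(t, tuple):
        for a in t[1:]:
            yield from subterms(a)


def te_satisfiable(eqs, neqs):
    """P_E for conjunctive Sigma_E formulae: congruence closure, then check the disequalities."""
    terms = {u for s, t in eqs + neqs for u in (*subterms(s), *subterms(t))}
    parent = {t: t for t in terms}

    def find(t):
        while parent[t] != t:
            parent[t] = parent[parent[t]]
            t = parent[t]
        return t

    for s, t in eqs:
        parent[find(s)] = find(t)
    apps = [t for t in terms if isinstance(t, tuple)]
    changed = True
    while changed:                           # merge congruent applications until a fixpoint
        changed = False
        for s, t in combinations(apps, 2):
            if (s[0] == t[0] and len(s) == len(t) and find(s) != find(t)
                    and all(find(a) == find(b) for a, b in zip(s[1:], t[1:]))):
                parent[find(s)] = find(t)
                changed = True
    return all(find(s) != find(t) for s, t in neqs)


def tz_satisfiable_bounded(constraint, variables, eqs, neqs, bound=3):
    """Stand-in for P_Z (assumption): exhaustive search over [-bound, bound]^n. Sound for the
    two examples below, whose constraints pin every variable into the box; NOT a T_Z decision
    procedure in general."""
    for vals in product(range(-bound, bound + 1), repeat=len(variables)):
        env = dict(zip(variables, vals))
        if (constraint(env) and all(env[u] == env[v] for u, v in eqs)
                and all(env[u] != env[v] for u, v in neqs)):
            return True
    return False


def guess_and_check(shared, te_eqs, te_neqs, tz_constraint, tz_vars):
    """Phase 2, nondeterministic version: try every arrangement of the shared variables and
    return the first one both procedures accept, or None (F is (T_E u T_Z)-unsatisfiable)."""
    for partition in set_partitions(sorted(shared)):
        eqs, neqs = arrangement(partition)
        if (te_satisfiable(te_eqs + eqs, te_neqs + neqs)
                and tz_satisfiable_bounded(tz_constraint, tz_vars, eqs, neqs)):
            return partition
    return None


# Example 10.7 after Phase 1.  F_Z: 1 <= x, x <= 2, w1 = 1, w2 = 2;  F_E: f(x) != f(w1), f(x) != f(w2)
EX_10_7 = dict(
    shared={'x', 'w1', 'w2'}, te_eqs=[],
    te_neqs=[(('f', 'x'), ('f', 'w1')), (('f', 'x'), ('f', 'w2'))],
    tz_constraint=lambda e: 1 <= e['x'] <= 2 and e['w1'] == 1 and e['w2'] == 2,
    tz_vars=['x', 'w1', 'w2'])

# Example 10.6 after Phase 1.  F_Z: w1 = x + y, x <= y + z, x + z <= y, y = 1, w2 = 2;
#                              F_E: w1 = f(x), f(x) != f(w2)
EX_10_6 = dict(
    shared={'x', 'w1', 'w2'}, te_eqs=[('w1', ('f', 'x'))],
    te_neqs=[(('f', 'x'), ('f', 'w2'))],
    tz_constraint=lambda e: (e['w1'] == e['x'] + e['y'] and e['x'] <= e['y'] + e['z']
                             and e['x'] + e['z'] <= e['y'] and e['y'] == 1 and e['w2'] == 2),
    tz_vars=['x', 'y', 'z', 'w1', 'w2'])

if __name__ == '__main__':
    print('Bell(12) =', bell(12))                          # 4213597
    print('Example 10.7 ->', guess_and_check(**EX_10_7))   # None: unsatisfiable
    print('Example 10.6 ->', guess_and_check(**EX_10_6))   # [['w1', 'w2'], ['x']]
```

For Example 10.7 all five partitions are rejected, the first three by congruence closure and the last two by the arithmetic side, exactly as the case analysis in the text lists them; for Example 10.6 the search stops at the arrangement x ≠ w1 ∧ x ≠ w2 ∧ w1 = w2, the same one the incremental construction discovers below. Swapping `tz_satisfiable_bounded` for a real TZ procedure is the only change needed to turn this into a complete combination procedure for conjunctive (ΣE ∪ ΣZ)-formulae.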

However, there is no need to guess the entire equivalence relation at once; instead, construct it incrementally, as the following example illustrates:

Example 10.9. In Example 10.6, Phase 1 separates the (ΣE ∪ ΣZ)-formula

F : f(x) = x + y ∧ x ≤ y + z ∧ x + z ≤ y ∧ y = 1 ∧ f(x) ≠ f(2)

into ΣZ-formula

FZ : w1 = x + y ∧ x ≤ y + z ∧ x + z ≤ y ∧ y = 1 ∧ w2 = 2

and ΣE-formula

FE : w1 = f(x) ∧ f(x) ≠ f(w2) .

Then

V = shared(FZ, FE) = {x, w1, w2} .

We attempt to construct an arrangement.

1. Suppose x = w1. But then w1 = x + y of FZ implies that y = 0, yet FZ asserts that y = 1. Hence, x ≠ w1.

2. FZ ∧ x ≠ w1 and FE ∧ x ≠ w1 are TZ- and TE-satisfiable, respectively.

3. Suppose x = w2. But f(x) ≠ f(w2) of FE contradicts this supposition. Hence, x ≠ w2.

4. FZ ∧ x ≠ w1 ∧ x ≠ w2 and FE ∧ x ≠ w1 ∧ x ≠ w2 are TZ- and TE-satisfiable, respectively.

5. Suppose w1 = w2. No contradiction exists.

We discovered the arrangement

x ≠ w1 ∧ x ≠ w2 ∧ w1 = w2 ,

so F is (TE ∪ TZ)-satisfiable.

 

Readers interested in implementing a simple Nelson-Oppen-based decision procedure could consider this incremental-construction “optimization” of the nondeterministic method. However, in practice, implementations are based on the deterministic method described in the next section.


10.3 Nelson-Oppen Method: Deterministic Version

Phase 1 of the deterministic version is the same as in the nondeterministic version.

Phase 2 of the nondeterministic method (both the guess-and-check method and the optimized incremental construction) proposes a set of equalities and disequalities and then lets each decision procedure Pi check the set with the corresponding formula Fi. In contrast, Phase 2 of the deterministic version asks the decision procedures P1 and P2 to propagate information in the form of new equalities.

A convex theory is particularly well-suited for propagating equalities. Section 10.3.1 discusses convex theories. Then Section 10.3.2 presents the deterministic Nelson-Oppen method.

10.3.1 Convex Theories

If a conjunctive formula in a convex theory implies a disjunction of equalities between variables, then it actually implies a single equality. Formally, consider a quantifier-free conjunctive Σ-formula F and a disjunction

$$G :\; \bigvee_{i=1}^{n} u_i = v_i \,, \tag{10.1}$$

for variables ui and vi. Theory T is convex if for every such F and G, if

$$F \Rightarrow \bigvee_{i=1}^{n} u_i = v_i$$

then

$$F \Rightarrow u_i = v_i \quad \text{for some } i \in \{1, \ldots, n\} \,.$$

If F implies G, then F actually implies one of the disjuncts of G. Intuitively, F cannot be “covered” by any disjunction of equalities — no matter how many — if no single equality covers F (F is covered by a formula if F implies it). This intuition is especially apparent for vector spaces (Section 8.2): a plane cannot be covered by a finite disjunction of lines; it cannot even be covered by a finite disjunction of other planes unless at least one of the planes is the plane itself.

Example 10.10. The theory of integers TZ is not convex. For consider the quantifier-free conjunctive ΣZ-formula

F : 1 ≤ z ∧ z ≤ 2 ∧ u = 1 ∧ v = 2 .

Then

F ⇒ z = u ∨ z = v ,

but neither

F ⇒ z = u nor F ⇒ z = v .

Example 10.11. The theory of arrays TA is not convex. For consider the quantifier-free conjunctive ΣA-formula

F : a⟨i ◁ v⟩[j] = v .

Then

F ⇒ i = j ∨ a[j] = v ,

but neither

F ⇒ i = j nor F ⇒ a[j] = v .

Example 10.12. The theory of rationals TQ is convex, as it is convex in a geometric sense (see Chapter 8).

Each equality ui = vi of the disjunction G of (10.1) is geometrically convex, but G itself is not. Consider, for example,

H : x = y ∨ x = z .

Let SH be the set of points satisfying H. The point (x, y, z) = (0, 0, 1) is included in SH, as is the point (1, 0, 1). However, the average of the two points, (1/2, 0, 1) (choosing λ = 1/2), is not in SH. Indeed, choose any two points

(u, u, v1) and (w, v2, w)

from Sx=y and Sx=z, respectively, such that neither is in their intersection Sx=y=z (i.e., v1 ≠ u and v2 ≠ w). Then for any λ ∈ (0, 1), the point

(λu + (1 − λ)w, λu + (1 − λ)v2, λv1 + (1 − λ)w)

is neither in Sx=y nor in Sx=z.

 

Suppose, then, that

$$F \Rightarrow G :\; \bigvee_{i=1}^{n} u_i = v_i \,,$$

but for no i ∈ {1, . . . , n} does F ⇒ ui = vi. Then it must be the case that there are two points s1 and s2 of SF in separate subsets Sui=vi, Suj=vj, i ≠ j, of SG. By the argument above, the points on the line segment between s1 and s2 are not in SG and thus not in SF. Then F is not geometrically convex, a contradiction.

Thus, TQ is convex.

Exercise 10.5 asks the reader to prove that the theories TE and Tcons are also convex.


10.3.2 Phase 2: Equality Propagation

Recall that the nondeterministic version guesses an equivalence relation E over the shared variables V and checks that both F1 ∧ α(V, E) is T1-satisfiable and F2 ∧ α(V, E) is T2-satisfiable. If it finds a satisfying equivalence relation E, it declares that F is (T1 ∪ T2)-satisfiable. This method suffers from the enormous number of equivalence relations that are possible even over small sets of shared variables. In the deterministic version, a central manager asks the decision procedures P1 and P2 to report any new implied equalities between shared variables. It then adds this new information to the already discovered equalities and propagates it to the other decision procedure. This method is efficient.

In the context of already discovered equalities E, a decision procedure Pi for a convex theory Ti discovers a new equality u = v, for shared variables u and v, when

Fi ∧ E ⇒ u = v .

The central manager then propagates this new equality to the other decision procedure.

If Tj is not convex, Pj discovers a new disjunction of equalities S when

$$F_j \wedge E \;\Rightarrow\; \bigvee_{u_i = v_i \in S} (u_i = v_i) \,,$$

for shared variables ui and vi. In this case, the central manager must split the disjunction and search along multiple branches. Each branch assumes one of the disjuncts. The search along a branch ends either when a full arrangement is discovered (so the original formula is (T1 ∪ T2)-satisfiable; see below) or when all sub-branches end in contradiction (Ti-unsatisfiability for some i). In the latter case, the central manager tries another branch. If no branches remain to try, then the central manager declares the original formula to be (T1 ∪ T2)-unsatisfiable.

If at some point, neither P1 nor P2 finds a new equality (or a disjunction of equalities in the non-convex case), then the central manager concludes that the given formula is (T1 ∪ T2)-satisfiable. For if E is the set of all learned equalities, S is the set of all possible remaining equalities, and

$$F_1 \wedge E \;\not\Rightarrow\; \bigvee_{u_i = v_i \in S} (u_i = v_i) \quad\text{and}\quad F_2 \wedge E \;\not\Rightarrow\; \bigvee_{u_i = v_i \in S} (u_i = v_i) \,,$$

(which must hold when no new disjunctions of equalities are discovered), then

$$F_1 \wedge E \wedge \bigwedge_{u_i = v_i \in S} (u_i \neq v_i) \quad\text{and}\quad F_2 \wedge E \wedge \bigwedge_{u_i = v_i \in S} (u_i \neq v_i)$$

are T1-satisfiable and T2-satisfiable, respectively. Hence, the discovered arrangement is

$$\alpha(V, E) \;=\; E \wedge \bigwedge_{u_i = v_i \in S} (u_i \neq v_i) \,,$$

and F is (T1 ∪ T2)-satisfiable.

Example 10.13. Consider the (ΣE ∪ ΣQ)-formula

F : f(f(x) − f(y)) ≠ f(z) ∧ x ≤ y ∧ y + z ≤ x ∧ 0 ≤ z .

F is (TE ∪ TQ)-unsatisfiable: the final three literals imply that z = 0 and x = y, so that f(x) = f(y). But then from the first literal, f(0) ≠ f(0) since both f(x) − f(y) and z equal 0.

Phase 1 separates F into two formulae. According to transformation 1, it replaces f(x) by u, f(y) by v, and u − v by w, resulting in ΣE-formula

FE : f(w) ≠ f(z) ∧ u = f(x) ∧ v = f(y)

and ΣQ-formula

FQ : x ≤ y ∧ y + z ≤ x ∧ 0 ≤ z ∧ w = u − v ,

with

V = shared(FE, FQ) = {x, y, z, u, v, w} .

Recall that TE and TQ are convex theories. The decision procedure PQ for TQ discovers

FQ ⇒ x = y

from x ≤ y ∧ y + z ≤ x ∧ 0 ≤ z, so

E1 : x = y .

Then PE discovers the new congruence f(x) = f(y) from x = y, so that

FE ∧ E1 ⇒ u = v , yielding

E2 : x = y ∧ u = v .

But then

FQ ∧ E2 ⇒ z = w

since w = u − v = 0, according to u = v, and z = 0. Propagating this equality back to PE via

E3 : x = y ∧ u = v ∧ z = w